Title | AUDITING IT GOVERNANCE CONTROLS |
---|---|
Author | Stevoh Drox |
Pages | 72 |
AUDITING IT GOVERNANCE CONTROLS
FIC-4030-INFORMATION SYSTEMS AUDITING-03-IT GOVERNANCE
BCHESOLI
10/5/2016
1
AUDITING IT GOVERNANCE CONTROLS
At the end of this session, participants will be able to:
o Understand the risks of incompatible functions and how to structure the IT function
o Be familiar with the controls and precautions required to ensure the security of an organization's computer facilities
o Understand the key elements of a Disaster Recovery Plan
o Be familiar with the benefits, risks and audit issues related to IT outsourcing
IT GOVERNANCE
IT governance is a subset of corporate governance that focuses on the management and assessment of strategic IT resources.
Key objectives:
o Reduce risk
o Ensure that investments in IT resources add value to the corporation
It emphasizes that all corporate stakeholders, including the board of directors, are involved in key IT decisions.
IT GOVERNANCE CONTROLS
Three IT governance issues are addressed by SOX and the COSO internal control framework:
o Organizational structure of the IT function
o Computer center operations
o Disaster recovery planning
STRUCTURE OF THE IT FUNCTION
STRUCTURING THE IT FUNCTION
The organization of the IT function has implications for the nature and effectiveness of internal controls, which in turn has implications for the audit.
Two organizational models:
o Centralized IT function
o Distributed IT function
CENTRALIZED IT FUNCTION
CENTRALIZED DATA PROCESSING MODEL
All data processing is performed by one or more large computers housed at a central site that serves users throughout the organization.
IT services are consolidated and managed as a shared organization resource.
CENTRALIZED IT FUNCTION
[Figure 2-1: Centralized data processing. Figure labels: Marketing, Finance, Production, Accounting, IT services, Data, Information, Cost chargeback, Distribution.]
CENTRALIZED IT FUNCTION
CENTRALIZED DATA PROCESSING MODEL
Database administration
o Centralized location for maintaining data resources
o The DBA is responsible for the security and integrity of the database
Data processing:
o Manages the resources used to perform day-to-day processing of transactions
o Data preparation/conversion
o Computer operations
o Data library (storage of off-line data files)
CENTRALIZED IT FUNCTION
CENTRALIZED DATA PROCESSING MODEL
Systems development and maintenance
System developers:
o Analyze user needs
o Design new systems to meet those needs (the solution)
Participants:
o End users (for whom the system is built)
o IS professionals (analysts, designers, developers/programmers)
o Other stakeholders, e.g. auditors (who oversee the SAD process)
System maintenance:
o Assumes responsibility for keeping developed systems operational and in line with current user needs
o Maintenance staff may change program logic to accommodate shifts in user needs over time
SEGREGATION OF INCOMPATIBLE IT FUNCTIONS
Remember the COSO objectives:
o Segregate transaction authorization from transaction processing
o Segregate record keeping from asset custody
o Divide transaction processing steps among individuals so that collusion is required to perpetrate fraud
Since IT applications tend to combine these functions, the focus of segregation moves to the interrelationships between systems development, maintenance, database administration and computer operations activities.
SEGREGATION OF INCOMPATIBLE IT FUNCTIONS
Separate systems development from computer operations
o This is of greatest importance
o Systems development professionals should not be involved in entering data or running applications
o Operations staff should run the systems and have no involvement in their design and development
With detailed knowledge of an application's logic and controls, plus access to the application system and utilities, an individual could make unauthorized changes during program operation. Such on-the-fly changes may leave no trace.
SEGREGATION OF INCOMPATIBLE IT FUNCTIONS
Separate database administration from other computer center functions
o The DBA is responsible for several critical tasks:
  o Database security
  o Creating the database schema and user views
  o Assigning database access authority to users
  o Monitoring database usage
  o Planning for future changes
o Delegating these tasks to others who perform incompatible tasks threatens database integrity
o Database administration should be independent of operations, systems development and maintenance
SEGREGATION OF INCOMPATIBLE IT FUNCTIONS
Segregate systems development from maintenance
o This is a better organizational structure
o Two types of improvement result from this approach:
  o Better documentation standards, which are necessary for the transfer of responsibility
  o Deterrence of fraud: the original programmer is denied future access to the program, so if fraudulent code was introduced at development it is likely to be discovered during maintenance (greater possibility of being discovered)
o The success of this control depends on the existence of other controls that limit, prevent and detect unauthorized access to programs (such as source code)
DISTRIBUTED MODEL
DISTRIBUTED MODEL
The Distributed Data Processing (DDP) model involves reorganizing the central IT function into small IT units placed under the control of end users. They may be distributed in terms of:
o Business function
o Geographic location, or both
Alternative A: variant of the centralized model
o End users are empowered to handle data and processing on their own machines, using powerful machines (PCs)
o However, systems development, computer operations (in server rooms) and database administration remain centralized
DISTRIBUTED MODEL
Alternative B: decentralized/network model
o A significant departure from the centralized model
o Distributes all computer services to end users, where they operate as stand-alone units
o The result is the elimination of the central IT function from the organizational structure
o The network permits communication and data transfers between the units
o All data processing tasks move to end-user areas
DISTRIBUTED MODEL
RISKS ASSOCIATED WITH DDP
This section focuses on the important issues that carry control implications which auditors should recognize.
Potential problems include:
1. Inefficient use of resources
2. Destruction of audit trails
3. Inadequate segregation of duties
4. Hiring qualified professionals
5. Lack of standards
DISTRIBUTED MODEL
RISKS ASSOCIATED WITH DDP
Inefficient use of resources
o Risk of mismanagement of resources by end users: if organization-wide IT resources exceed a given threshold (e.g. 5%) of the operations budget, effective IT governance requires centralized management of those resources
o Risk of operational inefficiencies due to redundant tasks: duplication of effort across the organization instead of benefiting from the work of others, e.g. software developed more than once, or data duplication leading to problems with data accuracy and consistency
o Risk of incompatible hardware and software: leaving responsibility for IT purchases to end users leads to uncoordinated, poorly conceived decisions, dissimilar technologies and different vendors, which disrupts coordination and connectivity within the organization
DISTRIBUTED MODEL
RISKS ASSOCIATED WITH DDP
Destruction of audit trails
o In DDP, audit trails reside in part or entirely on end-user computers. Should a user delete or tamper with the files, the audit trail could be destroyed, corrupted or unrecoverable.
o Audit trails provide the linkage between a company's financial activities (transactions) and its financial statements. Auditors rely on them to trace selected transactions when providing attestation services.
Inadequate segregation of duties
o There could be a shortfall in human resources, so that one person ends up performing multiple roles: the same person would program, do maintenance, enter data and operate the server room.
DISTRIBUTED MODEL
RISKS ASSOCIATED WITH DDP
Hiring qualified professionals
o End-user managers may lack the IT knowledge needed to evaluate the technical credentials and relevant experience of candidates applying for IT positions
o Since the units are small, there is limited opportunity for growth, continuing education and promotion in a small IT function
o It is hard to attract highly qualified IT staff, and less qualified IT staff bring an increased potential for errors and system failures
Lack of standards
o Because responsibility is distributed, standards for documentation, programming languages, acquiring hardware and software, and evaluating performance may be unevenly applied or inconsistent
THE DISTRIBUTED MODEL - ADVANTAGES
Advantages of DDP
1. Cost reduction
o No need to invest in large data centers and expensive systems; the unit cost of systems and technology is much lower now
o Use powerful, inexpensive PCs and minicomputers
o End-user data entry instead of a data control group
o Application complexity reduced
o Development and maintenance costs reduced
2. Improved cost control responsibility
o End-user managers carry responsibility for the financial success of their operations. DDP empowers them to have better control over the financing and success of IT implementation.
THE DISTRIBUTED MODEL - ADVANTAGES
3. Improved user satisfaction
o (1) Users desire to be in control, (2) systems professionals (analysts, programmers, operators) are more responsive to their specific needs, and (3) users participate more in developing and implementing their systems, leading to increased morale and productivity
4. Backup flexibility
o In the centralized model the effective approach is to provide another disaster recovery site (a second computer facility)
o Geographically distributed sites can be designed with excess capacity to provide disaster recovery for other sites
o This requires close coordination between managers so that they do not implement incompatible hardware/software
THE DISTRIBUTED MODEL - CONTROLLING
Controlling the DDP environment
o There is a need for careful analysis before choosing and implementing the DDP model. Some organizations adopt it without careful consideration and then find it hard to move out of it.
o Careful planning and implementation can mitigate the risks discussed above.
o The completely centralized model and the distributed model represent extreme positions. The needs of most firms fall somewhere in between on the continuum.
o The model can be improved considerably by implementing a corporate IT function.
CORPORATE IT FUNCTION
Implement a corporate IT function that provides:
o Technical IT advice and expertise to the whole organization, with better and more specialized skills than end users would have
o Central systems development and database management
o Centralized acquisition, testing and implementation of commercial software and hardware. This resolves many incompatibility issues and allows the best solutions to emerge.
o User services: a help desk for technical support, FAQs on blogs/intranet, chat room, etc., and training of end users
o Standard-setting body: central guidance on standards for systems development, programming, documentation and hardware
o Personnel review: better placed to evaluate the credentials/expertise of potential IT staff, even if the staff will work in decentralized offices
AUDITING THE IT FUNCTION
IT FUNCTION AUDIT
Audit objectives:
Conduct a risk assessment to:
o Verify that the structure of the IT function is such that individuals in incompatible areas are segregated in accordance with the level of potential risk, and in a manner that promotes a working environment in which formal, rather than casual, relationships exist between incompatible functions
o Verify that the distributed IT units employ entity-wide standards of performance that promote compatibility among hardware, operating software, applications and data
IT FUNCTION AUDIT
Audit procedures:
Verify that corporate policies and standards are communicated
o Review relevant documentation, including the current organization chart, mission statement and key job descriptions, to determine whether any incompatible duties exist
o Verify that compensating controls are in place where incompatible duties do exist and segregation is economically infeasible
o Review systems documentation and maintenance records for a sample of applications. Verify that maintenance programmers assigned to specific projects are not also the original design programmers.
IT FUNCTION AUDIT
Audit procedures:
Verify that access controls are properly established
o Verify that computer operators do not have access to the operational details of a program's logic
o Systems documentation such as flowcharts and program code listings should not be part of the operator's documentation
o Through observation, determine that the segregation policy is being followed in practice, e.g. review operations room access logs to determine whether programmers enter the facility for reasons other than system failures
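The access-log review in the last audit procedure above can be scripted: every programmer badge-in that does not fall inside a recorded system-failure window is a finding the auditor should follow up. This is an added example, not code from the lecture; the log format, badge roster and incident windows are constructed assumptions.

```python
"""Added example (not from the lecture slides): find programmer entries to
the operations room that are not explained by a recorded system failure."""
from datetime import datetime

# Constructed badge roster: badge id -> (name, function).
ROSTER = {
    "B101": ("alice", "programmer"),
    "B102": ("bob", "operator"),
    "B103": ("carol", "programmer"),
}

# Constructed system-failure windows; programmer presence inside one of
# these is expected and therefore not reported.
INCIDENTS = [
    (datetime(2016, 5, 10, 9, 0), datetime(2016, 5, 10, 11, 30)),
]

# Constructed access log, one "<timestamp> <badge> <IN|OUT>" event per line.
ACCESS_LOG = """\
2016-05-10T08:55 B102 IN
2016-05-10T09:10 B101 IN
2016-05-10T11:05 B101 OUT
2016-05-10T14:20 B103 IN
2016-05-10T15:00 B103 OUT
2016-05-11T10:00 B101 IN
2016-05-11T12:00 B999 IN
"""

def parse_log(text):
    """Yield (timestamp, badge, direction) for each non-blank log line."""
    for line in text.splitlines():
        if line.strip():
            ts, badge, direction = line.split()
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M"), badge, direction

def during_incident(ts, incidents=INCIDENTS):
    return any(start <= ts <= end for start, end in incidents)

def unexplained_entries(log=ACCESS_LOG, roster=ROSTER, incidents=INCIDENTS):
    """Return [(timestamp, name)] for IN events by anyone who is not an
    operator and whose entry lies outside every incident window.  Badges
    missing from the roster are reported as unknown rather than skipped,
    so an incomplete roster cannot hide an entry."""
    findings = []
    for ts, badge, direction in parse_log(log):
        name, function = roster.get(badge, (f"unknown:{badge}", "unknown"))
        if direction == "IN" and function != "operator" \
                and not during_incident(ts, incidents):
            findings.append((ts.isoformat(timespec="minutes"), name))
    return findings
```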
THE COMPUTER CENTER
THE COMPUTER/DATA CENTER
The auditor should examine the physical environment of the computer center as part of the annual audit.
The objectives of this section are to review:
o Computer center risks
o Controls put in place to mitigate risk and create a secure environment
1. Physical location
o Risk of destruction due to natural or man-made disaster
o The center should be away from human-made and natural hazards, e.g. gas/water pipes, high-crime areas, flood plains, geological fault lines
o It should be away from normal human traffic, e.g. on the top floor of a building or in a separate self-contained building. Locating it in a basement increases the risk of flooding.
THE COMPUTER/DATA CENTER
2. Construction
o Ideally a single-story building with controlled access
o Underground telephone, power and network utilities
o Windowless, or with windows that do not open
o Air filters to remove pollen, dust and insects
o In a multi-story building, use the top floor (away from traffic flows and potential flooding in a basement)
3. Access
o Limited access
o Physical: locked doors, access using keycard or swipe card, monitoring with CCTV cameras and a video recording system
o Manual: maintain an accurate access log of visitors and personnel who enter to perform any maintenance or administrative work